Azure Update Manager: WSUS in the Cloud

In an on-premise environment you have your WSUS Server, which manages and governs all updates for your machines (server and clients). Since Microsoft is shifting its portfolio to the cloud, they had to shift their Windows Update services to. The management of updates for clients was integrated into Intune with the Update rings feature. The patching of servers was integrated into the IaaS-service “Automation Account”. This service was once called Update management. With the launch of “Azure Update Management” the old one was rebranded to Azure Automation Update Management. It’s kinda confusing, I know…
The Azure Automation Update Manager depended on the Azure Log Analytics agent, also known as the Microsoft Monitoring Agent (MMA), which retired in August 2024. Update Manager no longer depends on Azure Automation or an installation of an agent. It offers many new features and functionalities like zero on-boarding, Azure Policy support, granular access control, role-based access control, and enhanced flexibility. Thus, it is recommended to move as quickly as possible to Azure Update Manager.

Azure Update Manager is designed to manage and govern updates for all Windows Server OS as well as Linux OS, including those in Azure, on-premises, and other cloud platforms. It allows monitoring Windows and Linux update compliance from a single dashboard and make real-time updates or schedule them within a defined maintenance window.

Prerequisites

Before enabling your Azure or on-premise virtual machines to be updated by Azure Update Manager, you need to meet the following prerequisites:

  1. Linux Machines: Python (version 2.7 or later) must be installed.
  2. Arc-enabled Servers: These must be connected to Azure Arc.
  3. Support Matrix: Refer to the support matrix to check supported updates, VM images, and Azure regions.
  4. Roles and Permissions:
    • Azure VM: Requires Azure Virtual Machine Contributor or the Owner role.
    • Azure Arc-enabled Server: Requires the Azure Connected Machine Resource Administrator role.
  5. VM Extensions: Azure VM and Azure Arc-enabled VM extensions are required but are automatically installed during the first Update Manager operation.
  6. Network Planning:
    • For Windows: Allow traffic to endpoints required by the Windows Update agent.
    • For Red Hat Linux: Refer to RHUI content delivery server IPs.
    • For other Linux distributions: Consult provider documentation.
  7. Configure Windows Update Client: Ensure specific settings for the Windows Update client when using WSUS or Windows Update.

Pricing

As everything in Azure, the service comes with a price tag. Azure Update Manager is available at no extra charge for managing Updates on Azure VMs (even the maintenance configurations, which are Azure resources, are free). Azure Update Manager is also included with Azure benefits for Azure Stack HCI, Extended Security Updates enabled by Azure Arc, and Microsoft Defender for Servers Plan 2. However for all Arc-enabled Servers, the price is $5 (CHF 4.508) per server per month (assuming 31 days of usage).(Azure Update Manager pricing, 07.01.25)

Deployment

The deployment of Azure Update Manager is quite easy. There are basically three things that need to be configured: periodic assessments, maintenance configuration and Windows Update service configuration.

Define periodic assessments

To onboard an Azure VM into the Azure Update Manager, you need to enable the periodic assessment feature. This feature performs a daily check (every 24 hours) for new available updates and reviews the installation status of updates on the assessed VMs. The periodic assessment can be activated directly from the VM menu pane or via the Azure Update Manager interface.
If this feature is not enabled, certain settings under the updates menu pane of the VM will remain disabled, like in the picture below.

To activate the periodic assessment, simply click on Enable now (as shown in the picture above) or go to Update settings and enable it there.

After that, an additional configuration window will appear. In this window, you can enable the periodic assessment on each VM you want to assess via Azure Update Manager. Furthermore, you can set the patch orchestration mode. The patch orchestration mode controls how patches will be applied to the VM. In my scenario the patch orchestration mode is set customer-managed schedules.

There are five different modes you can choose between: 

  1. Customer Managed Schedules: Enables scheduled patching on existing VMs and automatically configures properties (Patch mode = Azure-orchestrated and BypassPlatformSafetyChecksOnUserSchedule = TRUE) with user consent.

  2. Azure Managed – Safe Deployment: The Azure platform orchestrates updates for VM groups, automatically downloading and applying critical and security patches monthly, and rebooting VMs as necessary, with patch mode set to AutomaticByPlatform.

  3. Windows Automatic Updates (AutomaticByOS): Automatically downloads and installs OS updates, rebooting VMs as needed, ideal for non-critical workloads.

  4. Manual Updates: Disables automatic updates, requiring patches to be installed manually or through other solutions.

  5. Image Default (Linux VMs): Uses the default patching configuration specified in the image used to create the VM.

Define the maintenance configuration

After enabling the periodic assessment and setting the patch orchestration mode to Customer Managed Schedules, it is essential to define a maintenance window to install updates on the VMs configured with this patch mode. This can be done either through the VM menu pane or the Azure Update Manager interface.

For example, you can define two maintenance windows for a single VM, scheduled to follow Microsoft’s monthly Patch Tuesdays (on the second and fourth Tuesday of each month). This configuration is recommended for non-critical workload environments where rapid and frequent patching is necessary, as in my scenario.

The targeting of these maintenance windows can be applied to other VMs later, ensuring a consistent and efficient update strategy across all VMs.

As with every resource in Azure, various details such as subscription, resource group, etc., need to be specified when creating a maintenance configuration. Additionally, you must configure the maintenance scope, reboot settings, and the schedule for the maintenance windows. This involves selecting which resources are to be updated, determining the reboot behaviour of the VM, and scheduling the maintenance windows accordingly.

In this example, I configured a maintenance window for the fist Patch Tuesday* of the month. The settings include setting the maintenance scope to Guest (Azure VM, Arc-enabled VMs/servers), reboots as necessary and scheduled the maintenance window for every second Wednesday of the month at 12 AM. The scheduled window is set to be 3 hours and 55 minutes long, which is the maximum allowable configuration time.

To target the maintenance configuration, you have two options: dynamic assignment or direct assignment to resources. With the dynamic assignment, you can only scope it at the subscription layer. Therefore, I recommend assigning the configuration directly to the VMs for more precise control for each type and use of the workload.

In the Updates tab, you can configure which types of updates should be installed, including specific Windows Update (KB) IDs that can be included or excluded. By default, only Critical updates and Security updates are installed for Windows systems in a maintenance window. I recommend also activating the following categories: Update Roll-ups, Feature Packs, Service Packs, and Definition Updates (depending on the system and use case). With these settings, all “important” updates, such as Defender updates, will be installed automatically.

After configuring the updates, you can verify which VMs the maintenance settings have been assigned to. Navigate to Azure Update Manager and then to the Machines section. In the Associated Schedules column, the schedules are listed for each VM, allowing you to review the maintenance configurations at a glance.

Repeat the previous steps to configure the second maintenance window for the second Patch Tuesday* of the month. Set this window for every fourth Wednesday of the month at 12 AM (UTC+1) and schedule it to last for 3 hours and 55 minutes, following the second Patch Tuesday.

*NOTE: Adjust the schedules of your maintenance configurations based on your SLA and time zone dependency to the Microsoft Patch Tuesday.

Windows Update service configuration

Azure Update Manager utilizes the Windows Update client to manage and install updates directly on the Windows system. To ensure an effective update process after configuring your settings in Azure, you can adjust several parameters on the VMs or via Group Policies. Here are some key considerations and steps:

Control Update Settings
You can manage many settings for the Windows Update client through Local Group Policy Editor, Group Policy, PowerShell, or by directly editing the Registry. Azure Update Manager respects these settings, including those for non-Windows updates if enabled.

Avoid Pre-Downloading Updates
Pre-downloading updates is not supported by Azure Update Manager. Therefore, avoid using AUOptions settings for pre-downloads, as they can conflict with Azure Update Manager’s mechanisms, which set NoAutoUpdate=1 by default.

Configure Reboot Settings Carefully
Proper configuration of registry keys related to automatic updates and restarts is crucial. Incorrect settings may cause unexpected reboots, even if Never Reboot is specified in the maintenance configuration.

Enable Updates for Other Microsoft Products
By default, the Windows Update client only fetches OS updates. To enable updates for other Microsoft products:

  • In Windows Update, select Check online for Windows updates and enable Give me updates for other Microsoft products when I update Windows.
  • For older OS versions not using Update Manager’s scheduled patching, apply the following PowerShell script:
$ServiceManager = (New-Object -com "Microsoft.Update.ServiceManager")
$ServiceManager.Services
$ServiceID = "7971f918-a847-4430-9279-4a52d1efe18d"
$ServiceManager.AddService2($ServiceId,7,"")


Manage Updates via Group Policy in Azure Update Manager
If your machine is patched using Azure Update Manager with Automatic Updates enabled, you can exert further control through Group Policy:

  • Navigate to Computer Configuration Administrative Templates Windows Components Windows Update Manage end user experience, and configure the settings as required.

  • For Windows Server 2022, the configuration path remains the same but under Windows Components Windows Update Configure Automatic Updates.

Alerting (Preview)

It is also possible to set up alerting for various Azure Update Manager metrics. This is currently still in preview. The alerting mechanism is based on the Azure Monitor (alert rules and action groups). I personally, would recommend configuring the alerting. Especially in case of failed updates or failed maintenance windows. You can create the alert rules directly in the Azure Update Manager pane on the left side in the Monitoring section of the menu.

Reporting and Compliance in Azure Update Manager

Azure Update Manager offers several features for reporting and compliance. On the Overview Page, you can see different charts and metrics which include:

  • Update Status of All Machines: Displays the update installation status for all monitored machines.
  • Patch Orchestration Configuration of Azure Virtual Machines: Shows the current patch orchestration settings.
  • Update Installation Status Over the Last 30 Days: Summarizes update activities over the past month.
  • Pending Updates for Linux and Windows: Highlights machines with pending updates segregated by OS type.

Each chart includes a link in the bottom left corner to open a detailed Kusto Query Language (KQL) query, allowing you to dive deeper into the metrics and perform more analyses with your needs via KQL.

Targeting Azure Policies with Azure Update Manager

You can now easily manage Azure Update Manager compliance using Azure Policies. Various predefined policies are available under Azure Update Manager Manage Policy. These built-in Azure Policies make it easy to configure baseline for your Azure Update Manager and the managed resources, ensuring that your environment remains compliant.

Here are some built-in Azure Policies you can use:

  1. [Preview]: Set Prerequisite for Scheduling Recurring Updates on Azure Virtual Machines
    • This policy ensures that Azure VMs are configured to automatically manage patch scheduling. It sets the patch mode to ‘AutomaticByPlatform’ and enables ‘BypassPlatformSafetyChecksOnUserSchedule’ to ‘True’. The policy does not apply to Arc-enabled servers. This policy comes in handy, if you deploy new Azure VM with the wrong Update settings
  2. Configure Periodic Checking for Missing System Updates on Azure Arc-Enabled Servers
    • This policy configures auto-assessment for OS updates on Azure Arc-enabled servers every 24 hours. It controls the scope based on subscription, resource group, location, or tag, ensuring Arc-enabled servers remain up-to-date.
  3. Configure Periodic Checking for Missing System Updates on Azure Virtual Machines
    • This policy ensures that native Azure VMs automatically check for missing system updates every 24 hours. It can be scoped based on the machine’s subscription, resource group, location, or tag, maintaining an updated environment.
  4. Machines Should Be Configured to Periodically Check for Missing System Updates
    • This policy ensures periodic assessments for missing system updates for both Azure VMs and Azure Arc-enabled servers. The AssessmentMode property is set to ‘AutomaticByPlatform’ to trigger these checks automatically every 24 hours.

Sources
Azure Update manager – Pricing | Microsoft Azure
About Azure Update Manager

You might also like
Tags: Microsoft, Microsoft Azure

More Similar Posts